NEWS FROM THE LAB - Tuesday, November 20, 2012

A New Linux Rootkit
Posted by Sean @ 11:48 GMT

Details of a new Linux rootkit turned up on SecLists.Org's Full Disclosure mailing list last week, in a post titled "linux rootkit in combination with nginx".
CrowdStrike has an excellent analysis of it here: "HTTP iframe Injecting Linux Rootkit".

CrowdStrike's key findings:

  •  The rootkit is generally crime related rather than a specialized targeted attack. It drives traffic to exploit kits.
  •  It appears to be new rather than a modified version of known rootkits.
  •  It is probably Russian in origin.

Our analysts are investigating the sample now.
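Because this rootkit injects its iframe into the HTTP response rather than into the files nginx serves, the simplest check an administrator can run is to compare what a page looks like on the wire with what the file looks like on disk, and to flag any iframe that is present only on the wire (or that is sized or styled to be invisible). The following is an added example written for this post; it is not code from F-Secure or from CrowdStrike's analysis. The two HTML samples are constructed, and the landing-page hostname example.invalid is a placeholder, not an indicator from the original report. It assumes you fetch the served copy from a separate machine, since the injection happens below the web server and a local check may not see the same bytes.

```python
import difflib
from html.parser import HTMLParser

# Constructed sample: the page as it exists in the web root on disk.
ON_DISK = b"""<html><head><title>Welcome</title></head>
<body><h1>Hello</h1><p>Nothing to see here.</p></body></html>
"""

# Constructed sample: the same URL as fetched over HTTP from the affected host.
# The extra hidden iframe is spliced into the response on the wire, so it
# appears in neither the file nor the nginx configuration.
SERVED = b"""<html><head><title>Welcome</title></head>
<body><h1>Hello</h1><p>Nothing to see here.</p><iframe src="http://example.invalid/landing.php" width="1" height="1" style="visibility:hidden"></iframe></body></html>
"""


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def iframes_in(html_bytes):
    """Parse an HTML body and return a list of iframe attribute dicts."""
    parser = IframeCollector()
    parser.feed(html_bytes.decode("utf-8", errors="replace"))
    parser.close()
    return parser.iframes


def _dim(value):
    """Parse a width/height attribute; None if it is not a plain pixel count."""
    v = value.strip().lower().rstrip("px").strip()
    return int(v) if v.isdigit() else None


def is_hidden(iframe):
    """Heuristic: a 0/1-pixel or CSS-hidden iframe is a classic injection artefact."""
    style = iframe.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        return True
    w, h = _dim(iframe.get("width", "")), _dim(iframe.get("height", ""))
    return w is not None and h is not None and w <= 1 and h <= 1


def injected_iframes(on_disk, served):
    """iframe src values present in the served body but absent from the on-disk file."""
    known = {f.get("src", "") for f in iframes_in(on_disk)}
    return [f.get("src", "") for f in iframes_in(served) if f.get("src", "") not in known]


def suspicious_iframes(html_bytes):
    """iframe src values that are hidden, regardless of whether a reference copy exists."""
    return [f.get("src", "") for f in iframes_in(html_bytes) if is_hidden(f)]


def body_diff(on_disk, served):
    """Line-level diff showing exactly where the bytes were spliced into the response."""
    a = on_disk.decode("utf-8", errors="replace").splitlines()
    b = served.decode("utf-8", errors="replace").splitlines()
    return list(difflib.unified_diff(a, b, fromfile="on-disk", tofile="served", lineterm=""))


if __name__ == "__main__":
    print("injected on the wire:", injected_iframes(ON_DISK, SERVED))
    print("hidden iframes:", suspicious_iframes(SERVED))
    print("\n".join(body_diff(ON_DISK, SERVED)))
```

In practice, replace the two constants with the file read from the web root and the body returned by an HTTP client on another host; a non-empty result from injected_iframes is a strong sign that something between nginx and the network is rewriting responses, and the src values are the exploit-kit landing pages worth blocking and reporting.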